CVE-2026-25990
ADVISORY - githubSummary
Impact
An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.
Patches
Pillow 12.1.1 will be released shortly with a fix for this.
Workarounds
Image.open() has a formats parameter that can be used to prevent PSD images from being opened.
References
Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html
Common Weakness Enumeration (CWE)
ADVISORY - github
Out-of-bounds Write
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-cfh3-3jmp-rvhc
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)